User authentication in tornado websocket application

Now, I am improving my Tornado skills and asking a question about user authorization.

And my solution is to create a secure token on the first page, and then send it with other data, from JavaScript to the Tornado server, where user checks and authorizations are performed.

I think about cookies, but I do not know how I can read cookies in WebSocketHandler.on_message.

What do you think, and where am I mistaken? Thanks.

+8
python authentication tornado
2 answers

I suggest you read about cookies and secure cookies:

  • User Authentication
  • Third-Party Authentication

EDIT

I just realized that your question is about websockets. I believe that you can use the approach you described:

  • Create a cookie in the non-websocket part of your application.
  • Check the cookie in the websocket handler.

You must have access to the request headers inside the websocket handler using self.request.headers.

+10

Perhaps the client can make request headers with a fake user: "User="ImFkbWxxxx==|XXXXXXXXXX|9d847f58a6897df8912f011f0a784xxxxxxxxxx"

I think the following approach is better. If the user does not exist or if the cookie ID is incorrect or falsified, the get_secure_cookie function will not return the user.

    import tornado.websocket


    class WebSocketHandler(tornado.websocket.WebSocketHandler):
        def open(self):
            # get_secure_cookie returns None for a missing or invalid signed cookie
            user_id = self.get_secure_cookie("user")
            if not user_id:
                return None
            ...
+6
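The signed-cookie check from the answers above, as an added example that is not part of either answer. It assumes Tornado is installed; `COOKIE_SECRET`, `user_from_cookie`, `AuthedSocket` and `demo` are hypothetical names, and the cookie values are constructed for the demonstration.

```python
import tornado.web
import tornado.websocket

COOKIE_SECRET = "constructed-demo-secret"  # assumption: demo value only


def user_from_cookie(secret, cookie_value):
    """Return the signed user id, or None if missing, forged or expired."""
    if not cookie_value:
        return None
    # The signature verification that get_secure_cookie relies on.
    raw = tornado.web.decode_signed_value(
        secret, "user", cookie_value, max_age_days=1)
    return raw.decode("utf-8") if raw else None


class AuthedSocket(tornado.websocket.WebSocketHandler):
    def open(self):
        secret = self.application.settings["cookie_secret"]
        self.user_id = user_from_cookie(secret, self.get_cookie("user"))
        if self.user_id is None:
            # Returning from open() alone leaves the socket connected,
            # so close it explicitly (1008 = policy violation).
            self.close(code=1008, reason="authentication required")

    def on_message(self, message):
        # Frames can still arrive while the close handshake is in flight.
        if getattr(self, "user_id", None) is None:
            return
        self.write_message(f"{self.user_id}: {message}")


def demo():
    """Run the check over constructed cookie values."""
    genuine = tornado.web.create_signed_value(
        COOKIE_SECRET, "user", "alice").decode()
    # Signed without knowledge of the server secret.
    forged = tornado.web.create_signed_value(
        "attacker-guess", "user", "admin").decode()
    # Genuine cookie with the last signature character altered.
    tampered = genuine[:-1] + ("0" if genuine[-1] != "0" else "1")
    samples = {"genuine": genuine, "forged": forged,
               "tampered": tampered, "unsigned": "admin", "missing": None}
    return {k: user_from_cookie(COOKIE_SECRET, v) for k, v in samples.items()}


if __name__ == "__main__":
    print(demo())
```

Only the value returned by the signature check is used as the user identity; the raw `Cookie` header is never trusted on its own.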
